
Potential AMSI COM Server Hijacking

Summary
This Sigma rule identifies attempts to hijack the Antimalware Scan Interface (AMSI) COM server by watching writes to the registry value that registers it: the (Default) value of the InProcServer32 subkey under AMSI's CLSID, which on a stock system points to amsi.dll in %windir%\system32. The attack rewrites that value to a DLL that either does not exist or is attacker-controlled. A per-user entry under HKCU\Software\Classes\CLSID shadows the machine-wide HKLM entry in the merged HKEY_CLASSES_ROOT view that COM consults, so the hijack needs no elevation. When a host such as PowerShell initializes AMSI, COM resolves the unchanged CLSID to the tampered server path; the load fails (or the attacker's DLL loads instead), AMSI initialization fails, and content submitted for scanning is never inspected. The rule therefore alerts on any registry set event for that value whose data is not the expected amsi.dll path, which catches the hijack regardless of the hive it is written to and regardless of the file name chosen, including a DLL named amsi.dll placed in another directory. Because the match is on the written data rather than on the writing process, legitimate but unusual re-registration of the component can also fire it; triage should look at the writing process and the target path.
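The matching logic described above, run over a few constructed Sysmon Event ID 13 (registry value set) records, as an added example rather than the rule's own source. It assumes the well-known AMSI CLSID {fdb00e52-a214-4aa1-8fba-4357bb0072ec}, the stock server path %windir%\system32\amsi.dll, and the Sysmon field names TargetObject and Details that Sigma's registry_set log source maps to; the SIDs, paths and process names in the sample events are invented.

```python
"""Added example: AMSI COM server hijack detection over constructed Sysmon events.

Not the rule's own code. Assumptions not stated on the page:
  - AMSI's COM class is CLSID {fdb00e52-a214-4aa1-8fba-4357bb0072ec}; the value
    that matters is the (Default) value of its InProcServer32 subkey.
  - On a stock system that value is "%windir%\\system32\\amsi.dll".
  - Events carry the Sysmon Event ID 13 fields TargetObject and Details.
"""
from typing import Dict, List

AMSI_CLSID = "{fdb00e52-a214-4aa1-8fba-4357bb0072ec}"
AMSI_INPROC_DEFAULT = f"\\CLSID\\{AMSI_CLSID}\\InProcServer32\\(Default)"
EXPECTED_SERVER = r"%windir%\system32\amsi.dll"


def is_amsi_inproc_write(target_object: str) -> bool:
    """True if the written value is AMSI's InProcServer32 (Default) value.

    Case-insensitive, like Sigma's default string matching, and anchored on
    the tail of the key path so both the HKLM entry and a per-user HKU\\<SID>
    entry (the one a COM hijack writes) match.
    """
    return target_object.lower().endswith(AMSI_INPROC_DEFAULT.lower())


def is_expected_server(details: str) -> bool:
    """True only for the stock amsi.dll path (surrounding quotes tolerated)."""
    return details.strip().strip('"').lower() == EXPECTED_SERVER.lower()


def detect(events: List[Dict]) -> List[Dict]:
    """Return one hit per registry set event that rewrites AMSI's server path
    to anything other than the stock location."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        if is_amsi_inproc_write(target) and not is_expected_server(details):
            hits.append({
                "rule": "Potential AMSI COM Server Hijacking",
                "Image": ev.get("Image", ""),
                "TargetObject": target,
                "Details": details,
            })
    return hits


# Constructed sample events (SIDs, paths and images are invented).
SAMPLE_EVENTS = [
    {   # benign: machine-wide registration restored by servicing
        "EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
        "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\(Default)",
        "Details": r"%windir%\system32\amsi.dll",
    },
    {   # hijack: per-user entry pointing at a DLL that does not exist
        "EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\(Default)",
        "Details": r"C:\Users\alice\AppData\Local\Temp\nonexistent.dll",
    },
    {   # unrelated CLSID: must not match
        "EventID": 13, "Image": r"C:\Windows\regedit.exe",
        "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32\(Default)",
        "Details": r"C:\Program Files\Example\example.dll",
    },
    {   # hijack with upper-case CLSID and a look-alike amsi.dll elsewhere
        "EventID": 13, "Image": r"C:\Users\alice\Downloads\loader.exe",
        "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Classes\CLSID\{FDB00E52-A214-4AA1-8FBA-4357BB0072EC}\InProcServer32\(Default)",
        "Details": r"C:\Users\alice\AppData\Roaming\amsi.dll",
    },
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] {hit['Image']} -> {hit['Details']}")
```

The two hijack records fire and the other two do not. The filter is an exact string compare against the stock value, which is what makes the look-alike amsi.dll under AppData a hit; it also means an absolute path such as C:\Windows\System32\amsi.dll written by an installer would fire, so an allowlist on the writing process is the usual tuning step.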
Categories
  • Windows
Data Sources
  • Windows Registry
Created: 2023-01-04